SSNs and more lifted from a server. Students, alumni, and employees affected.

Personal information for as many as 300,000 people at Northwest Florida State College has been exposed by a data breach that lasted for at least four months. Victims run the gamut of people on campus, including students, prospective students, and current and retired employees. The breach has already led to at least 50 cases of identity theft, resulting in loans and credit cards being issued in the names of school employees.

The data was stolen from a shared folder on the college's main file server, and it contained social security numbers and dates of birth for over 200,000 Florida students from across the state who had applied for scholarships. The data also encompasses payroll and Direct Deposit information for many employees and retirees. In a memo to all employees (PDF) sent out on October 8, Northwest Florida State College President Dr. Ty Handy said that information had been gleaned from multiple files in a folder on the college's main server.

"No one file had a complete set of personal information regarding individuals," Handy wrote. "However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees."

Those employees' identities were used to obtain "pay-day" loans from PayDayMax, Inc. and Discount Advance Loans, as well as to obtain Home Depot credit cards. The loans were set up for payments to be automatically deducted from the victims' bank accounts. The college is still investigating which students' records were exposed.

The data was stolen from a shared folder on the college's main file server, and it contained social security numbers and dates of birth for over 200,000 Florida students

ಠ_ಠ.... that bit about it being part of a shared folder doesn't appear in the article linked or the .pdf as far as I could see - but regardless this is absurd. These colleges know they're holding sensitive personal information and if they're not up to the task of securing it properly they ought to store it off-site with someone else who can. They act like it is some surprising new thing that hackers are able to effectively data mine and piece together information from a variety of files/sources. I would be pissed if I was a student or even had applied to this college.

The college is still investigating which students' records were exposed.

The simple solution would be to inform all their students that this happened. They should offer identity theft protection to every single student. Each employee responsible for this breach should also be fined a billion dollars for being an idiot.

@CBoy: To match up your ACT/SAT scores as part of the admissions process. SSN is the best key to match people on until we have some other universally agreed-on unique identifier.

Ridiculous. Every ACT/SAT could be given a unique key, and that key passed on by students, and this could be implemented almost immediately. This is merely the continuation of a decades-long mistake of abusing the SSN as an identifier when it is intended for other purposes and provides dangerous access to private information.


To be pedantic the real problem is the use of the SSN as an authenticator and identifier. As in "Oh, you know so and so's SSN so you ARE so and so".

Having worked at a 2 year college, I can tell you I'm not at all surprised. The smaller colleges are always extremely cheap, both in direct resources and in the number of people they have to make changes. At my college, for the longest time, they had the students' SSN printed on the front of their student ID as a barcode. Even now, they haven't stopped using SSN in most of their internal processes, and they have to use a lookup table to jump back and forth between their student ID and SSN simply because of the number of people and time it would take to track down all uses of SSN and change it (as well as adequately test things - we used to have a lot of bugs get through simply because the users didn't want to take the time to test things and simply signed off that it worked fine).

Of course, I was never a programmer myself (I just worked near them) so I can't claim this was from an unbiased source.

A lot of the colleges' IT departments are very small and woefully underfunded and in some cases are staffed by students. I am not surprised that this happened and ALL other colleges should review their systems.

Ditto to what DigitusImpudicus said. Many colleges' IT departments are woefully and horribly inadequately funded. Unfortunately this probably won't be a wake up call to the administration of the college - instead it will be head hunting season.

A "shared folder" also doesn't say much. The student network could have been isolated still. It could have been a rogue employee fetching the data from their own department's drive - so permissions may not have been the problem. Instead it could very well be a process issue where someone who had access to the lists was saving them in an area that too many people could access. The "hackers" could merely have been an opportunistic (and malicious) employee.


When you have people's bank account numbers, you need to take security seriously. It is not acceptable that they were being stored in a place too many people had access to. SSN and bank information should be held to a very high security standard. This kind of thing is far too prevalent. The college should be legally responsible for this.
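As an added example (not from the article or any commenter), this is the kind of check a file-server admin could run to find lists that both contain SSN-like values and are readable beyond their owner, the "saved in an area too many people could access" problem described above. The SSN pattern and sample files are constructed; POSIX mode bits stand in for the share's ACLs.

```python
import os
import re
import stat
import tempfile

# Heuristic for a US SSN written as 123-45-6789 (constructed; real DLP rules are stricter).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def is_overshared(path):
    """True if group or other users can read the file (POSIX mode bits used as an ACL stand-in)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_share(root):
    """Walk a tree and return sorted (relative path, SSN-like hit count) for files that
    contain SSN-like strings AND are readable beyond their owner."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = SSN_RE.findall(fh.read())
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
            if hits and is_overshared(path):
                findings.append((os.path.relpath(path, root), len(hits)))
    return sorted(findings)


def demo():
    """Constructed sample share: a scholarship list left group-readable, a payroll
    file locked to its owner, and an innocuous notes file."""
    root = tempfile.mkdtemp()
    samples = {
        "scholarships.csv": ("name,ssn,dob\nJane Doe,123-45-6789,1990-01-02\n"
                             "John Roe,987-65-4321,1991-03-04\n", 0o644),
        "payroll.csv": ("name,ssn,account\nJane Doe,123-45-6789,000111222\n", 0o600),
        "notes.txt": ("meeting at 10\n", 0o644),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return scan_share(root)


if __name__ == "__main__":
    for rel, n in demo():
        print(f"{rel}: {n} SSN-like value(s), readable beyond owner")
```

Only the group-readable scholarship list is reported; the payroll file holds an SSN too but is not overshared.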

I seriously don't get US identification laws. Over there (and the UK, for instance) people will throw a fit if you talk about a unique number, or a state-issued ID card, etc. But consider this:

In Portugal, you're issued a birth certificate, well, at birth. With this certificate, you can ask for an ID card. This card has your name, your parents' names, your ID card number and, since recently, your taxpayer number, which for stupid reasons is a different one, a color photo, your fingerprint and your signature. These numbers, images and signature are irrelevant for the purpose of obtaining sensitive info. In fact, some are public. It's the document that's relevant, and accurate identification results from all of its elements: if some action requires identification, you'll want to check that the person looks like the one on the card and can sign like the one on the card. No one is going to give you any sensitive info of mine or enter into contracts on my behalf based on you knowing my ID card number.

In the US there is no universal identifier. SSNs are used as a poor substitute and due to the way they're used have to be kept secret... except they can't be kept secret because everyone keeps asking you for your SSN. As a result, voter registration among other things is laughable, both parties spend their time crying foul and elections in general look like they took place in some third world country... and the US is probably ID theft capital of the world.

My point: maybe having a unique identifying number wouldn't be so bad if done properly, and without all of the orwellian drama about "why does the gumment need to know who i am". Is there a risk for abuse of that info? Sure. But people already put themselves at much greater risk today, whether by using the proxy of SSN, or by spilling their private data somewhere on the 'net.


When you have people's bank account numbers, you need to take security seriously. It is not acceptable that they were being stored in a place too many people had access to. SSN and bank information should be held to a very high security standard. This kind of thing is far too prevalent. The college should be legally responsible for this.

Why??? I can give out my bank account number as much as I please, nobody can do anything with that alone! The problem (IMHO) is not just the poor keeping of private data, which I agree is a problem. It's the huge problem of inappropriate and insufficient standards for identifying yourself before third parties.

Not that I agree with the practice of taking SS#s on an application, but at my university, the university itself provided financial aid. In applying for it, the social-security number was a requirement (as it's effectively taking out a loan). It's been years though, since I've been out of college.

My wife and I are both former students at NWFSC. I actually met her in one of my math classes on campus. As far as small state colleges go it really wasn't that bad of a place but it seemed like they were seriously underfunded. I can't imagine they sank a lot into their IT--I hated using their student website--very archaic. That said, while many of the instructors are really quite good (and really dedicated) I can't say that this surprises me at all. I ran into my share of BS while dealing with administration there. The worst part of the college was its Collegiate High School and having to share class time with them.

Many of the instructors (especially in math and science) actually work for the Air Force base (big test and evaluation area) and moonlight at the college. Sounds like this is limited to staff and those who applied for scholarships (like my wife) and probably not any military attending (full tuition already paid). Will have to keep an eye on our stuff.

SSNs are required to prove that you are a US citizen and to check for certain things. The school checks your tax records when considering your application. (believe it or not) Your financial aid goes directly to the school and you are identified by your SSN. If you work on campus, you have to specify your SSN on your I-9 tax form. Your SSN is used all over the place.

Now, what my university has done is replace all uses of the SSN with a unique ID. Everything on campus uses the ID instead of your SSN except where required by law.

This could be the result of a staff admin, not an IT. People rarely take into account security when they do things, like share a folder with Sally down the hall in payroll.

simplyluke: Even if they were stored encrypted, the file share was likely mounted and therefore able to be read anyway. Encryption really only stops someone from reading the disk after it has been removed from the premises. If the server is in place and up, chances are the encrypted files are available to anyone with permission. Encryption is really only useful for communications channels and offline storage.


The files in the shared directory could still be encrypted. If I take my Keepass database and put it in a shared folder it's still encrypted. Of course, the info never should have been in a shared folder in the first place.

To be pedantic the real problem is the use of the SSN as an authenticator and identifier. As in "Oh, you know so and so's SSN so you ARE so and so".

Correct! The SSN is a dandy identifier, but a miserable authenticator. If you doubt that, count the number of people who legitimately have access to your own SSN.

I hate it when people say, "there ought to be a law," but maybe this time there should: It shall be a felony in the umpteenth degree to use knowledge of a Social Security Number to authenticate an identity!

Even the US gov't has finally woken up - all employees and contractors who work with the DoD are issued a CAC (Common Access Card) smartcard. As of last year, they no longer included SSNs.

Instead, every person is assigned a 10-digit number... which, handily, is also their "Prisoner Of War" identifier. I'm assuming it is in case one is taken prisoner as opposed to being assigned in which order we're intended to be captured.

Extending that, all are now assigned an 11-digit "DoD Benefits Number" (DBN), which is a unique 9-digit number that identifies your family, and a 2 digit number representing your position in the family.

As of next year, employees will be able to refuse to give their SSN when dealing with anybody (payroll, housing, medical).

"Those employees' identities were used to obtain "pay-day" loans from PayDayMax, Inc. and Discount Advance Loans, as well as to obtain Home Depot credit cards. The loans were set up for payments to be automatically deducted from the victims' bank accounts."

Erm, why are these companies handing out loans and credit to people who aren't who they say they are? Both in the UK and Australia you would need *strong* photographic ID (i.e., driving licence or passport) along with additional proof of residential address (i.e., a utility bill) and often a third factor (birth certificate, healthcare card etc).

To hand out credit on presentation of a public number is laughable.

What happens when they try to collect the debt, and it turns out the customer didn't take out the loan in the first place ?!?


The US has maintained its standard of living in the last couple of decades thanks to a massive increase of private debt, so it makes sense to make credit as easy to obtain as possible.

You can blame that on (feel free to ignore some using your favorite flavor of reality-distortion-field):


* working people, who refuse to do collective bargaining, despite it being the only way to get a fair share of the benefits they generate (= stagnant wages, capital get all the benefits), thus have to borrow to keep increasing their "standard of living" (measured in the number of useless gadgets you can afford)
* the rich ecosystem of loan sharks (including "honest" credit card companies) that make a fortune lending money at indecent rates
* politics, that are really happy to deal with an easy to control population of consumers, instead of a population of citizens, that would ask some form of social justice (most probably in the form of a just tax system)
* the marketing droids, that constantly create new desires, pushing people to construct their identities around brands, and using frustration, greed, peer-pressure and the human need to belong to a tribe to push people to consume way beyond what they can afford